Custom Login Page Customizer <= 2.5.3 - Unauthenticated Privilege Escalation via Password Reset
Platform
wordpress
Component
login-customizer
Fixed in
2.5.4
CVE-2025-14975 represents a critical privilege escalation vulnerability within the Custom Login Page Customizer plugin for WordPress. This flaw allows unauthenticated attackers to gain unauthorized access by modifying user passwords, potentially compromising administrator accounts. The vulnerability impacts versions of the plugin up to and including 2.5.3, but a fix is available in version 2.5.4.
Impact and Attack Scenarios
The impact of CVE-2025-14975 is severe. An attacker exploiting this vulnerability can completely take over user accounts, including those with administrative privileges. This grants them full control over the WordPress site, enabling them to modify content, install malicious plugins, steal sensitive data, and potentially deface the website. The lack of authentication checks before password updates makes this vulnerability particularly dangerous, as it bypasses standard access controls. Successful exploitation could lead to significant data breaches and reputational damage.
Exploitation Context
CVE-2025-14975 was published on 2026-01-08. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the critical severity suggest a high probability of exploitation. The vulnerability has not been added to the CISA KEV catalog as of this date. Active campaigns targeting WordPress plugins are common, increasing the risk of this vulnerability being exploited in the wild.
Who Is at Risk
WordPress websites utilizing the Custom Login Page Customizer plugin, particularly those running versions prior to 2.5.4, are at significant risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise on one site could potentially lead to lateral movement and impact other sites. Sites with weak password policies or a lack of multi-factor authentication are also at increased risk.
Detection Steps
• wordpress / composer / npm:
grep -r "wp_update_user_password" /var/www/html/wp-content/plugins/custom-login-page-customizer/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'custom-login-page-customizer'
• wordpress / composer / npm:
wp plugin update --all
• wordpress / composer / npm:
wp plugin status custom-login-page-customizer
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.02% (5th percentile)
CVSS Vector
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions; the attacker can exploit reliably.
- Privileges Required: None. No authentication is needed to exploit.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete any data.
- Availability: High. Complete outage or resource exhaustion; total denial of service.
Affected Software
Package information
- Active installs: 90K (niche)
- Plugin rating: 4.8
- Requires WordPress: 4.0+
- Compatible up to: 6.9.4
- Requires PHP: 5.6+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-14975 is to immediately upgrade the Custom Login Page Customizer plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent further exploitation. While a direct workaround is not available, implementing strong password policies and enabling multi-factor authentication (MFA) on administrator accounts can help reduce the impact of a successful account takeover. After upgrading, verify the fix by attempting to modify a user's password without proper authentication; the action should be denied.
How to fix
Update to version 2.5.4 or a later patched release.
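An added example (not part of the original advisory): a POSIX shell check that parses `wp plugin list --format=csv --fields=name,status,version` output and reports whether the installed plugin is below the fixed release 2.5.4, so the detection and post-upgrade verification steps can be scripted. The plugin slug is passed as an argument because the advisory lists both `login-customizer` and `custom-login-page-customizer`; the CSV sample below is constructed, not captured from a real site.

```shell
#!/bin/sh
# Added example: numeric dotted-version comparison and a WP-CLI CSV check
# for the CVE-2025-14975 fixed release. Not code from the advisory or plugin.
FIXED_VERSION="2.5.4"   # first patched release named in the advisory

# version_lt A B: succeeds (exit 0) if dotted version A sorts before B.
# Fields compare numerically (2.5.10 > 2.5.4); missing fields count as 0;
# a trailing suffix such as "-beta" is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"                 # current field of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"       # drop consumed field
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"     # strip non-numeric tail
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1                                          # equal versions
}

# check_plugin_csv SLUG: reads wp-cli CSV (name,status,version) on stdin and
# prints "vulnerable <status> <ver>", "fixed <status> <ver>" or "absent".
check_plugin_csv() {
    slug="$1"; result="absent"
    while IFS=, read -r name status version; do
        [ "$name" = "$slug" ] || continue             # skips header and others
        if version_lt "$version" "$FIXED_VERSION"; then
            result="vulnerable $status $version"
        else
            result="fixed $status $version"
        fi
    done
    printf '%s\n' "$result"
}

# Constructed sample output (not from a real site) for an offline run.
SAMPLE_CSV='name,status,version
login-customizer,active,2.5.3
akismet,inactive,5.3'

# Offline demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_CSV" | check_plugin_csv login-customizer
# Live usage (requires WP-CLI; run from the WordPress root as the web user):
#   wp plugin list --format=csv --fields=name,status,version | check_plugin_csv login-customizer
```

Run it again after `wp plugin update` to confirm the slug reports `fixed`; an `absent` result on a site that has the plugin usually means the slug argument does not match the installed directory name.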
Frequently Asked Questions
What is CVE-2025-14975 — Privilege Escalation in Custom Login Page Customizer?
CVE-2025-14975 is a critical vulnerability in the Custom Login Page Customizer plugin for WordPress allowing unauthenticated attackers to change user passwords, leading to account takeover.
Am I affected by CVE-2025-14975 in Custom Login Page Customizer?
You are affected if you are using the Custom Login Page Customizer plugin version 2.5.3 or earlier. Upgrade to 2.5.4 to resolve the issue.
How do I fix CVE-2025-14975 in Custom Login Page Customizer?
Upgrade the Custom Login Page Customizer plugin to version 2.5.4 or later. If immediate upgrade is not possible, disable the plugin temporarily.
Is CVE-2025-14975 being actively exploited?
While no public exploit is currently available, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Where can I find the official Custom Login Page Customizer advisory for CVE-2025-14975?
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.